02-06-2013 11:01 AM - edited 03-07-2019 11:33 AM
Hi Everyone,
I read to use standard ACL to permit only IP address of your SNMP agent machines.
Does this mean that switches running SNMP?
Say here Switch has IP 192.168.10.3 Management IP
When I check the ACL on the switch it does not show the switch IP address under the ACL permit
access-list 96 permit 192.168.10.3
But it shows these IPs
access-list 96 permit 172.16.x.10
access-list 96 permit 172.16.x.9
So need to know are these IPs of other switches and routers in network?
Secondly i read to use command snmp server host command to identify SNMP manager.
But in this config there is no snmp server host command.
snmp-server community RO 99
snmp-server community RW 99
snmp-server community RO 96
snmp-server location
snmp-server contact
snmp-server system-shutdown
snmp-server enable traps license
snmp ifmib ifalias long
snmp ifmib ifindex persist
When I do sh snmp host on the switch there is no output.
When I do sh acl it shows
acl 96
60 permit 172.16.x.10 (7783560 matches)
70 permit 172.16.x.9 (7030820 matches)
acl 99
Standard IP access list 99
20 permit 172.16.x.206 (4969692 matches)
40 permit 172.16.x.5 (1261582 matches)
30 permit 172.16.x.18 (692704 matches)
50 permit 172.31.x.71 (81712 matches)
60 deny any log (4 matches)
So need to know is this device sending SNMP traps to some manager as there is no host command in SNMP config?
Thanks
mahesh
02-06-2013 11:12 AM
When you configure the command "snmp-server community test RO 96" this translates to mean only hosts permitted in access-list 96 will be able to use the community string "test" to connect to this device and that they will only be able to read from the device, not write to it.
The hosts that are permitted to read or write SNMP to a network device are typically network monitoring tools (servers) or the workstations of the network engineers who maintain the device. However just because the device is permitted to read from the device will not mean the device sends traps to it automatically. If you want the device to send traps to a device you would need to use the "snmp-server host
02-06-2013 11:15 AM
Mahesh,
The acl restricts the device from being polled from non-authorized management agents. In your example, access-list 96 hosts are allowed read-only access to this switch (with whatever community is associated to it), and the access-list 99 hosts are allowed both RW (for whatever community) and RO (for whatever community). Anything that's not explicitly listed in the acl is not allowed to poll this device with snmp. A host doesn't need to be listed for a polling station to poll it. Another example would be something like Orion. Orion will connect to devices with their specified snmp community string, but on devices you'd have an acl only allowing the Orion server to poll it. You don't need a host for that.
HTH,
John
*** Please rate all useful posts ***
02-06-2013 11:37 AM
Correct, it is not sending traps. However SNMP is not limited to traps as a way to pass traffic. The device can be polled for information by the other side. Based on this output it definitely appears that you have some type of host that is polling your network device. I would suspect this is some type of network monitoring device.
02-06-2013 11:28 AM
Hi Gregory,
In this case as there is no snmp server host command so does it mean that switch is not sending any traps to any devices?
When I ran the sh snmp command
11321490 SNMP packets input
0 Bad SNMP version errors
28 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
59228952 Number of requested variables
2587 Number of altered variables
8767194 Get-request PDUs
1717520 Get-next PDUs
2875 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
11321462 SNMP packets output
0 Too big errors (Maximum packet size 1500)
910 No such name errors
288 Bad values errors
0 General errors
11321462 Response PDUs
0 Trap PDUs
SNMP global trap: disabled
SNMP logging: disabled
SNMP agent enabled
So the packets input and output, which type of packets are these?
Are these poll packets, trap packets?
Thanks
mahesh
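As an added example that nobody in the thread posted, a short Python script that reads the sh snmp counters and the access-list hit counts above and answers the question mechanically: whether the agent is being polled (Get/Get-next PDUs), written to (Set-request PDUs), or sending traps (Trap PDUs), and how many requests carried an unknown community or were refused by the ACL. The sample text is re-typed from this thread's output (addresses redacted as the poster did), and the meaning assigned to each counter is my own reading, not a Cisco reference.

```python
import re

# Counters as posted in the thread, re-typed here as sample input (not a live capture).
SHOW_SNMP = """\
28 Unknown community name
2587 Number of altered variables
8767194 Get-request PDUs
1717520 Get-next PDUs
2875 Set-request PDUs
0 Trap PDUs
"""

# Access-list 99 from the thread, addresses redacted exactly as the poster did.
SHOW_ACL_99 = """\
Standard IP access list 99
20 permit 172.16.x.206 (4969692 matches)
60 deny any log (4 matches)
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")            # "<count> <counter name>"
DENY_RE = re.compile(r"^\s*\d+\s+deny\b.*\((\d+) matches\)")  # deny entries with hit counts

def parse_show_snmp(text):
    """Return {counter name: value} for every numeric line of 'show snmp'."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def denied_requests(acl_text):
    """Sum the hit counts of deny entries: requests the community ACL refused."""
    return sum(int(m.group(1)) for m in map(DENY_RE.match, acl_text.splitlines()) if m)

def assess(counters, acl_text):
    """Answer the thread's questions from the counters: polled? written to? trapping?"""
    reads = counters.get("Get-request PDUs", 0) + counters.get("Get-next PDUs", 0)
    return {
        # Get/Get-next PDUs are managers reading the agent; no snmp-server host is needed for that.
        "polled": reads > 0,
        # Set-requests only succeed through the RW community, so review who its ACL permits.
        "writes_seen": counters.get("Set-request PDUs", 0) > 0,
        # Traps are outbound and need snmp-server host; zero here matches the missing command.
        "sending_traps": counters.get("Trap PDUs", 0) > 0,
        # Requests carrying a community the agent does not know, plus requests the ACL refused.
        "unknown_community": counters.get("Unknown community name", 0),
        "acl_denied": denied_requests(acl_text),
    }
```

Non-zero "unknown_community" or "acl_denied" values are the counters to watch on a device like this one, since they are the only trace of hosts that tried to poll it without being permitted.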
02-06-2013 12:47 PM
Hi John & Gregory,
Thanks for explaining the SNMP polling concept to me.
We do have some Windows and other boxes which send probes to network devices for monitoring purposes.
Regards
Mahesh